# SELinux reference-policy (refpolicy) module for an init-started daemon
# called "example".  The file is purely declarative: type declarations
# first, then allow rules and refpolicy interface calls that grant the
# process domain example_t its access.  The policy compiler expands the
# interface calls at build time; nothing here executes at runtime.
policy_module(example,1.0.0)

########################################
#
# Declarations
#

# The daemon's process domain and the label of its executable.  The
# pair is handed to init_daemon_domain so the domain is set up as an
# init-started daemon domain (the init-to-daemon transition is what
# that refpolicy interface provides).
type example_t;
type example_exec_t;
domain_type(example_t)
init_daemon_domain(example_t, example_exec_t)

# Label for the daemon's init script.
# NOTE(review): init_script_type is the interface name used by older
# refpolicy releases; confirm it still exists in the refpolicy this
# module is built against.
type example_script_exec_t;
init_script_type(example_script_exec_t)

# Label for the daemon's pid file(s) and directories under the system
# pid directory.
type example_var_run_t;
files_pid_file(example_var_run_t)

# Label for the daemon's spool data: files, directories and a unix
# socket file (see the spool rules below).
type example_spool_t;
files_type(example_spool_t)

########################################
#
# example local policy
#

# Init script handling: allow the daemon to use the interactive file
# descriptors it inherits from init.
domain_use_interactive_fds(example_t)

## internal communication is often done using fifo and unix sockets.
allow example_t self:fifo_file rw_file_perms;
allow example_t self:unix_stream_socket create_stream_socket_perms;

# Baseline access granted to the domain: search sbin directories, read
# /etc, read kernel system state, use the dynamic linker and shared
# libraries, read localization data.
# NOTE(review): libs_use_ld_so and libs_use_shared_libs come from older
# refpolicy releases and have been deprecated/removed in newer ones;
# verify they resolve in the target refpolicy version.
corecmd_search_sbin(example_t)
files_read_etc_files(example_t)
kernel_read_system_state(example_t)
libs_use_ld_so(example_t)
libs_use_shared_libs(example_t)
miscfiles_read_localization(example_t)

# Pid file handling: full management of example_var_run_t dirs and
# files, plus a type transition so files and dirs the daemon creates in
# the pid directory are labeled example_var_run_t automatically.
manage_dirs_pattern(example_t, example_var_run_t, example_var_run_t)
manage_files_pattern(example_t, example_var_run_t, example_var_run_t)
files_pid_filetrans(example_t,example_var_run_t, { file dir })

# Spool handling: dirs and files are fully managed, but the sock_file
# class is deliberately limited to create_file_perms (create/open/
# getattr) rather than manage_file_perms, and the filetrans covers
# file, dir and sock_file so new objects land as example_spool_t.
# NOTE(review): if the daemon removes a stale socket file on restart it
# will also need unlink on sock_file — confirm against the daemon's
# startup behaviour before widening this rule.
allow example_t example_spool_t:dir manage_dir_perms;
allow example_t example_spool_t:file manage_file_perms;
allow example_t example_spool_t:sock_file create_file_perms;
files_spool_filetrans(example_t,example_spool_t, { file file dir sock_file })

# Networking: DNS resolution, receiving unlabeled packets, creating and
# listening on its own UDP sockets, UDP send/recv on all interfaces,
# nodes and ports, and binding on all nodes to the port corenet labels
# for monopd.
# NOTE(review): corenet_udp_sendrecv_all_ports and
# corenet_udp_bind_all_nodes are the broadest forms of these grants.
# The bind rule itself is already scoped to the monopd port; if the
# daemon only exchanges traffic on that port, a per-port sendrecv
# interface would be the least-privilege choice — confirm the daemon's
# actual peers before narrowing.  The `listen` permission on a
# udp_socket is unusual; keep it only if the daemon really calls
# listen() on UDP sockets (otherwise it is dead permission).
sysnet_dns_name_resolve(example_t)
corenet_all_recvfrom_unlabeled(example_t)
allow example_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(example_t)
corenet_udp_sendrecv_all_nodes(example_t)
corenet_udp_sendrecv_all_ports(example_t)
corenet_udp_bind_all_nodes(example_t)
corenet_udp_bind_monopd_port(example_t)

# Name-service lookups through nsswitch, syslog messages, and sending
# mail via the system MTA.
auth_use_nsswitch(example_t)
logging_send_syslog_msg(example_t)
mta_send_mail(example_t)